1. Field of the Invention
The present invention pertains generally to network communications, and in particular to a system and method for regulating the flow of internetwork connections through a firewall.
2. Background Information
Firewalls have become an increasingly important part of network design. Firewalls provide protection of valuable resources on a private network while allowing communication and access with systems located on an unprotected network such as the Internet. In addition, they operate to block attacks on a private network arriving from the unprotected network by providing a single connection with limited services. A well designed firewall limits the security problems of an Internet connection to a single firewall computer system. This allows an organization to focus their network security efforts on the definition of the security policy enforced by the firewall. An example of a firewall is given in "SYSTEM AND METHOD FOR PROVIDING SECURE INTERNETWORK SERVICES", U.S. patent application Ser. No. 08/322078, filed Oct. 12, 1994 by Boebert et al., allowed, the description of which is hereby incorporated by reference. A second example of such a system is described in "SYSTEM AND METHOD FOR ACHIEVING NETWORK SEPARATION", U.S. application Ser. No. 08/599,232, filed Feb. 9, 1996 by Gooderum et al., pending, the description of which is hereby incorporated by reference. Both are examples of application level gateways. Application level gateways use proxies operating at the application layer to process traffic through the firewall. As such, they can review not only the message traffic but also message content. In addition, they provide authentication and identification services, access control and auditing.
Access Control Lists, or ACLs, are lists of rules that regulate the flow of Internet connections through a firewall. These rules control how a firewall's servers and proxies will react to connection attempts. When a server or proxy receives an incoming connection, it performs an ACL check on that connection.
An ACL check compares the source and destination IP address of the connection against a list of ACL rules. The rules determine whether the connection is allowed or denied. A rule can also have one or more side effects. A side effect causes the proxy to change its behavior in some fashion. For example, a common side effect is to redirect the destination IP address to an alternate machine.
Sidewinder, Version 2.0, is an example of a firewall that uses an ACL check to regulate the flow of Internet connections through it. ACLs in Sidewinder 2.0 are stored in a file, /etc/sidewinder/acl.conf. The file is read by all of the servers and proxies on the Sidewinder firewall. A line in the file either allows or denies a connection based on the connection's source IP address, destination IP address, and destination port number. Some examples are shown below:
    allowed_flow( source_addr(net_addr(*.*.*.* 0 internal))
                  dest_addr(net_addr(*.*.*.* 0 external))
                  service (ftp tcp) 0.0.0.0 0)
This rule allows access from any client located in the internal security domain to any ftp server located in the external security domain.
    allowed_flow( source_addr(net_addr(*.*.*.* 0 internal))
                  dest_addr(net_addr(*.*.*.* 0 external))
                  service (http tcp) 0.0.0.0 0)
    denied_flow( source_addr(net_addr(*.*.*.* 0 internal))
                 dest_addr(net_addr=(174.252.1.1 0 external))
                 service(http tcp) 0.0.0.0 0)
The first rule allows http access from the internal security domain to all Web servers in the external security domain. The second rule denies access to a specific web server located at 174.252.1.1.
    allowed_flow( source_addr(net_addr(*.*.*.* 0 external))
                  dest_addr(net_addr(192.168.1.192 0 external))
                  service(nntp tcp) 172.17.192.48 0)
This rule intercepts all incoming connections that go to the external side of the local Sidewinder (192.168.1.192) and redirects them to shade.sctc.com (172.17.192.48).
In general, ACL rules used in Sidewinder, Version 2.0, have the following matching criteria:
- The source IP address. This can be expressed as a subnet by indicating the number of significant bits in the address.
- The source security domain. This is always either "internal" or "external".
- The destination IP address.
- The destination security domain, again either "internal" or "external".
- The service name. The names and protocols of the services are obtained from the file /etc/services.
and they have the following two side effects:
- Redirect the IP address to a different machine.
- Redirect the port number to a different port.
A connection from a specific IP source address to a specific IP destination address is denied unless there is a rule that allows the connection and there is no entry that denies the connection. The order of entries in the list does not matter.
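The following is an added example, not code from the patent or from Sidewinder, that models the ACL check just described: it parses rule lines in the acl.conf form quoted above, applies the default-deny and deny-overrides-allow semantics, ignores rule order, and reports the redirect side effects. The handling of the numeric bits field on a concrete address is an assumption noted in the code.

```python
import ipaddress
import re
from collections import namedtuple

# Rule grammar as in the acl.conf examples above (".sub.--" in the extracted text
# is "_"). net_addr is "address bits domain"; trailing "ip port" are the redirects.
RULE_RE = re.compile(
    r"(allowed|denied)_flow\(\s*"
    r"source_addr\(net_addr=?\(\s*(\S+)\s+(\d+)\s+(\w+)\s*\)\)\s*"
    r"dest_addr\(net_addr=?\(\s*(\S+)\s+(\d+)\s+(\w+)\s*\)\)\s*"
    r"service\s*\(\s*(\w+)\s+(\w+)\s*\)\s*(\S+)\s+(\d+)\s*\)")
Rule = namedtuple("Rule", "action src dst service redirect_ip redirect_port")

def parse_acl(text):
    return [Rule(g[0], (g[1], int(g[2]), g[3]), (g[4], int(g[5]), g[6]),
                 (g[7], g[8]), g[9], int(g[10]))
            for g in (m.groups() for m in RULE_RE.finditer(text))]

def net_match(pattern, bits, addr):
    # "*.*.*.*" matches any host; otherwise `bits` is the significant-bit count.
    # Assumption: 0 on a concrete address means the whole address is significant,
    # since the examples write single hosts as "174.252.1.1 0".
    if pattern == "*.*.*.*":
        return True
    net = ipaddress.ip_network(f"{pattern}/{bits or 32}", strict=False)
    return ipaddress.ip_address(addr) in net

def rule_matches(r, conn):
    src_ip, src_dom, dst_ip, dst_dom, svc, proto = conn
    return (net_match(*r.src[:2], src_ip) and r.src[2] == src_dom
            and net_match(*r.dst[:2], dst_ip) and r.dst[2] == dst_dom
            and r.service == (svc, proto))

def acl_check(rules, conn):
    # Deny unless an allow rule matches and no deny rule matches; order is
    # irrelevant. Returns (allowed, redirect_ip or None, redirect_port or None).
    hits = [r for r in rules if rule_matches(r, conn)]
    if not hits or any(r.action == "denied" for r in hits):
        return (False, None, None)
    a = next(r for r in hits if r.action == "allowed")
    return (True, None if a.redirect_ip == "0.0.0.0" else a.redirect_ip,
            a.redirect_port or None)

# Constructed acl.conf excerpt built from the three examples quoted in the text.
SAMPLE_ACL = """
allowed_flow( source_addr(net_addr(*.*.*.* 0 internal)) dest_addr(net_addr(*.*.*.* 0 external)) service (http tcp) 0.0.0.0 0)
denied_flow( source_addr(net_addr(*.*.*.* 0 internal)) dest_addr(net_addr=(174.252.1.1 0 external)) service(http tcp) 0.0.0.0 0)
allowed_flow( source_addr(net_addr(*.*.*.* 0 external)) dest_addr(net_addr(192.168.1.192 0 external)) service(nntp tcp) 172.17.192.48 0)
"""
RULES = parse_acl(SAMPLE_ACL)
```

A connection is a tuple (source IP, source domain, destination IP, destination domain, service, protocol); note that the deny rule for 174.252.1.1 wins even though a broader allow rule also matches.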
An ACL approach like that used in Sidewinder 2.0 has a number of limitations. For instance, since all ACL rules in that firewall system are specified using only IP addresses, there is no way to specify a host name. A rule can have only one source, one destination and one service; a separate rule is needed for each service and for each workstation. Therefore, to block access to several web sites you need to create a separate rule for each one. Furthermore, a site with five services and 1,000 workstations may need 5,000 rules. This can slow performance.
In addition, the use of static IP addresses creates a problem for a site that uses Microsoft Windows NT Server and DHCP (Dynamic Host Configuration Protocol) with desktop personal computers (PCs). The DHCP server assigns an arbitrary IP address from a pool when each PC boots up. It is impossible to assign an ACL rule to a particular PC because its IP address is not fixed.
In addition, there is no place to store a user name. The granularity of access control is on a per-host basis.
Sidewinder 2.0 stores a complete copy of the full access control list in the memory of every proxy. If the number of rules is large, the memory consumed hurts performance. In addition, there is no support for activating rules during certain times of the day or during certain days of the week.
Finally, there is no way to specify a different authentication method for a given connection. For a given service, the authentication method must be the same for all users and for all hosts.
What is needed is a generalized security policy management system which can operate free of these limitations.